ISM 04 Guidelines for Cyber Security Incidents


Australian Government
Information Security Manual
JANUARY 2019

Guidelines for cyber security incidents
Detecting cyber security incidents
Cyber security events
A cyber security event is an occurrence of a system, service or network state indicating a possible breach of security
policy, failure of safeguards or a previously unknown situation that may be relevant to security.

Cyber security incidents
A cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that have a
significant probability of compromising business operations.

Detecting cyber security incidents
One of the core elements of detecting and investigating cyber security incidents is the availability of appropriate data
sources. Fortunately, many data sources can be extracted from existing systems without requiring specialised
capabilities.
The following table describes some of the data sources that organisations can use for detecting and investigating cyber
security incidents.
Domain Name System (DNS) logs
  Can assist in identifying attempts to resolve malicious domains or Internet Protocol (IP) addresses which can
  indicate an exploitation attempt or successful compromise.

Email server logs
  Can assist in identifying users targeted with spearphishing emails. Can also assist in identifying the initial
  vector of a compromise.

Operating system event logs
  Can assist in tracking process execution, file/registry/network activity, authentication events, operating
  system created security alerts and other activity.

Virtual Private Network (VPN) and remote access logs
  Can assist in identifying unusual source addresses, times of access and logon/logoff times associated with
  malicious activity.

Web proxy logs
  Can assist in identifying Hypertext Transfer Protocol (HTTP)-based vectors and malware communication traffic.

In addition, logs created by various security tools and appliances, such as antivirus software, content filters and
host-based or network-based intrusion detection or intrusion prevention systems, can be captured and correlated
alongside other data sources.
Finally, many potential cyber security incidents are noticed by personnel rather than software tools. As such, successful
detection of cyber security incidents is often based around trained cyber security personnel with access to sufficient
data sources complemented by tools supporting both manual and automated analysis.
Security Control: 0120; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Cyber security personnel have access to sufficient data sources and tools to ensure that any security alerts generated by
systems are investigated and that systems and data sources are able to be searched for key indicators of compromise
including but not limited to IP addresses, domains and file hashes.
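Control 0120 requires that data sources can be searched for key indicators of compromise (IP addresses, domains and file hashes). The following is an added example, not code from the ISM or the ACSC, showing one way to run such a search across heterogeneous log lines of the kinds listed in the table above. The log lines, the IoC watchlist (`evil.example`, a TEST-NET address, a placeholder SHA-256) and the line formats are all constructed for illustration and are not taken from the page.

```python
"""Search DNS, proxy, email and OS log lines for indicators of compromise (IoCs)."""
import re
from dataclasses import dataclass

# Constructed sample log lines (not real telemetry), one or two per data
# source type from the ISM table: DNS, web proxy, email server, OS event log.
SAMPLE_LOGS = [
    ("dns",   "12-Jan-2019 09:14:02.118 client 10.0.0.23#51234: query: updates.evil.example IN A + (10.0.0.5)"),
    ("dns",   "12-Jan-2019 09:14:03.401 client 10.0.0.24#51235: query: www.example.org IN A + (10.0.0.5)"),
    ("proxy", "1547284452.114   2310 10.0.0.23 TCP_MISS/200 5120 GET http://198.51.100.77/stage2.bin - "
              "HIER_DIRECT/198.51.100.77 application/octet-stream"),
    ("email", "2019-01-12T08:55:10Z msgid=<a1@mail.evil.example> from=hr@evil.example "
              "to=jsmith@agency.example attachment=payroll.docx"),
    ("os",    "2019-01-12T09:13:55Z host=WS-023 event=ProcessCreate "
              "image=C:\\Users\\jsmith\\AppData\\Local\\Temp\\payroll.exe "
              "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
]

# Constructed IoC watchlist; every value here is a placeholder, not a real indicator.
IOCS = {
    "domain": {"evil.example"},
    "ip": {"198.51.100.77"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    source: str     # which data source the line came from
    kind: str       # "ip", "domain" or "sha256"
    indicator: str  # the watchlist entry that matched
    line: str       # the raw log line, kept for the investigator


def domain_matches(candidate, watchlist):
    """Return the watched domain if candidate equals it or is a subdomain of it, else None."""
    c = candidate.lower()
    for d in watchlist:
        if c == d or c.endswith("." + d):
            return d
    return None


def search_line(source, line, iocs=IOCS):
    """Extract every IP, hash and domain-like token from one line and match it against the watchlist."""
    hits = set()  # deduplicate: the same indicator often appears twice in one line
    for ip in IP_RE.findall(line):
        if ip in iocs["ip"]:
            hits.add(("ip", ip))
    for h in SHA256_RE.findall(line):
        if h.lower() in iocs["sha256"]:
            hits.add(("sha256", h.lower()))
    for dom in DOMAIN_RE.findall(line):
        hit = domain_matches(dom, iocs["domain"])
        if hit:
            hits.add(("domain", hit))
    return [Match(source, kind, ind, line) for kind, ind in sorted(hits)]


def search_logs(logs=SAMPLE_LOGS, iocs=IOCS):
    """Run search_line over every (source, line) pair and return all matches in log order."""
    matches = []
    for source, line in logs:
        matches.extend(search_line(source, line, iocs))
    return matches


if __name__ == "__main__":
    for m in search_logs():
        print(f"[{m.source}] {m.kind}={m.indicator}: {m.line[:70]}")
```

Matching the domain watchlist by suffix (so `updates.evil.example` hits `evil.example`) is what makes the DNS and email lines useful; exact-string matching on domains would miss most of the resolution attempts the table describes. Hashes are normalised to lower case before comparison because different tools emit different cases.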

Further information
Further information on detecting cyber security incidents can be found in the Event logging and auditing section of
the Guidelines for system monitoring.

Managing cyber security incidents
Responsibilities and procedures
Documenting responsibilities and procedures for managing cyber security incidents in a system’s System Security Plan
(SSP), Standard Operating Procedures (SOPs) and Incident Response Plan (IRP) ensures that when a cyber security
incident does occur, personnel can respond in an appropriate manner. In addition, ensuring that users are aware of
reporting procedures assists in capturing any cyber security incidents that a system manager fails to notice.
Security Control: 0122; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Cyber security incident responsibilities and procedures are detailed for each system in their security documentation.

Recording cyber security incidents
The purpose of recording cyber security incidents in a register is to highlight their type and frequency so that corrective
action can be taken. This information, along with information on the costs of any remediation activities, can also be
used as an input to future security risk assessments.
Security Control: 0125; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should
Cyber security incidents are recorded in a register with the following information:
- the date the cyber security incident occurred
- the date the cyber security incident was discovered
- a description of the cyber security incident
- any actions taken in response to the cyber security incident
- to whom the cyber security incident was reported.
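As an added example (not from the ISM), the register below holds the five fields control 0125 lists and produces the type-and-frequency view the section says the register exists for, plus the occurrence-to-discovery lag that feeds risk assessment. The `incident_type` field, the threshold used by `slowest_detections`, and the three sample records are assumptions made for illustration; the ISM prescribes the fields listed above, not a classification scheme.

```python
"""Incident register with the control 0125 fields and simple type/frequency summaries."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass
class IncidentRecord:
    occurred: date        # date the cyber security incident occurred
    discovered: date      # date the cyber security incident was discovered
    description: str      # description of the cyber security incident
    actions_taken: list   # actions taken in response
    reported_to: str      # to whom the incident was reported
    incident_type: str    # hypothetical classification; not a field the ISM prescribes

    def __post_init__(self):
        # Reject records that could not have happened; a register is only useful if it is consistent.
        if self.discovered < self.occurred:
            raise ValueError("discovery date cannot precede occurrence date")
        if not self.description.strip() or not self.reported_to.strip():
            raise ValueError("description and reported_to must be filled in")

    def days_to_discovery(self):
        return (self.discovered - self.occurred).days


class IncidentRegister:
    def __init__(self):
        self.records = []

    def add(self, record):
        self.records.append(record)

    def frequency_by_type(self):
        """How often each incident type recurs; the input to deciding corrective action."""
        return dict(Counter(r.incident_type for r in self.records))

    def median_days_to_discovery(self):
        if not self.records:
            return 0.0
        return float(median(r.days_to_discovery() for r in self.records))

    def slowest_detections(self, threshold_days):
        """Records whose discovery lag exceeds the threshold (assumed policy value)."""
        return [r for r in self.records if r.days_to_discovery() > threshold_days]


def build_sample_register():
    """Constructed sample entries; none describe a real incident."""
    reg = IncidentRegister()
    reg.add(IncidentRecord(date(2019, 1, 3), date(2019, 1, 4),
                           "Phishing email with credential-harvesting link reported by a user",
                           ["Sender domain blocked", "User password reset"], "CISO delegate", "phishing"))
    reg.add(IncidentRecord(date(2018, 12, 20), date(2019, 1, 10),
                           "Malicious code found on workstation WS-023",
                           ["System isolated", "Rebuilt from known good image"], "CISO", "malicious code"))
    reg.add(IncidentRecord(date(2019, 1, 15), date(2019, 1, 15),
                           "Second phishing campaign against finance staff",
                           ["Sender domain blocked"], "CISO delegate", "phishing"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.frequency_by_type(), reg.median_days_to_discovery())
    for r in reg.slowest_detections(7):
        print("slow detection:", r.description, r.days_to_discovery(), "days")
```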

Handling and containing data spills
When a data spill occurs, organisations should inform information owners and restrict access to the information. In
doing so, affected systems can be powered off, have their network connectivity removed or have additional access
controls applied to the information. It should be noted though that powering off systems could destroy information
that would be useful for forensic investigations. Furthermore, users should be made aware of appropriate actions to
take in the event of a data spill such as not deleting, copying, printing or emailing the information.
Security Control: 0133; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
When a data spill occurs, information owners are advised and access to the information is restricted.

Handling and containing malicious code infections
Taking immediate remediation steps after the discovery of malicious code can minimise the time and cost spent
eradicating and recovering from the infection. As a priority, all infected systems and media should be isolated to
prevent the infection from spreading further. Once isolated, infected systems and media can be scanned by antivirus
software to potentially remove the infection. It is important to note, though, that a complete operating system
restoration from a known good backup or reinstallation is the only reliable way to ensure that malicious code has
been truly eradicated.
Security Control: 0917; Revision: 6; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should
When malicious code is detected, the following steps are taken to handle the infection:
- the infected system is isolated
- all previously connected systems, including any media used in the period leading up to the infection, are scanned
  for signs of infection and isolated if necessary
- antivirus software is used to remove the infection from infected systems and media
- if possible, any previously infected system is restored from a known good backup or rebuilt.

Allowing targeted cyber intrusions to continue
When a targeted cyber intrusion is detected, organisations may wish to allow the intrusion to continue for a short
period of time in order to understand its extent. Organisations allowing a targeted cyber intrusion to continue on a
system should establish with their legal advisors whether the actions are breaching the Telecommunications
(Interception and Access) Act 1979.
Security Control: 0137; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of
collecting further information or evidence.

Post-incident analysis
Post-incident analysis after a targeted cyber intrusion can assist in determining whether an adversary has been
removed from a system. This can be achieved, in part, by conducting a full network traffic capture for at least seven
days. Organisations should then be able to identify anomalous behaviour that may indicate whether the adversary has
persisted on the system or not.


Security Control: 1213; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should
Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for
at least seven days after a targeted cyber intrusion.

Integrity of evidence
When gathering evidence following any form of cyber security incident, it is important that its integrity is maintained.
Even though an investigation may not directly lead to a law enforcement agency prosecution, it is important that the
integrity of evidence such as manual logs, automatic audit trails and intrusion detection tool outputs be protected.
If the Australian Cyber Security Centre (ACSC) is requested to assist in investigations, the ACSC requests that no actions
which could affect the integrity of evidence be carried out before the ACSC becomes involved.
Security Control: 0138; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should
The integrity of evidence gathered during an investigation is maintained by investigators recording all of their actions
and ensuring raw audit trails are copied onto media for archiving.
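Control 0138 asks for two things: investigators record all of their actions, and raw audit trails are copied onto media for archiving. The following added example (not ISM or ACSC code) shows a minimal way to do both in one step: hash the raw log before and after copying, refuse the copy if the digests differ, append every action to a timestamped investigator log, and re-verify the archived copy later. The directory layout, the JSON-lines action log, the `EvidenceArchive` class and the sample `auth.log` line are all assumptions made for illustration; a real archive would go to write-once or write-protected media rather than a temporary directory.

```python
"""Copy raw audit trails for archiving with integrity checks and an investigator action log."""
import datetime
import hashlib
import json
import pathlib
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file, streamed so large audit trails do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceArchive:
    def __init__(self, archive_dir, investigator):
        self.dir = pathlib.Path(archive_dir)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.investigator = investigator
        # One JSON object per line: who did what, when, to which file (assumed format).
        self.actions_log = self.dir / "investigator_actions.jsonl"

    def log_action(self, action, **details):
        entry = {
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "investigator": self.investigator,
            "action": action,
            **details,
        }
        with open(self.actions_log, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def archive(self, source_path):
        """Copy a raw audit trail into the archive, proving the copy matches the original."""
        src = pathlib.Path(source_path)
        src_hash = sha256_file(src)
        dest = self.dir / src.name
        shutil.copy2(src, dest)  # copy2 preserves timestamps, which matter for a timeline
        dest_hash = sha256_file(dest)
        if dest_hash != src_hash:
            self.log_action("archive_failed", source=str(src), expected=src_hash, got=dest_hash)
            raise RuntimeError("archived copy does not match source")
        self.log_action("archive", source=str(src), archived=str(dest), sha256=src_hash)
        return dest, src_hash

    def verify(self, archived_path, expected_hash):
        """Re-hash an archived file and record the outcome, whether it passed or not."""
        ok = sha256_file(archived_path) == expected_hash
        self.log_action("verify", file=str(archived_path), expected=expected_hash, result=ok)
        return ok

    def action_count(self):
        if not self.actions_log.exists():
            return 0
        return sum(1 for _ in open(self.actions_log))


def run_example():
    """Archive a constructed log, verify it, tamper with the copy, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        raw = pathlib.Path(tmp) / "auth.log"
        # Constructed sample audit line; not real telemetry.
        raw.write_text("Jan 12 09:13:55 ws-023 sshd[4121]: Accepted publickey for jsmith from 10.0.0.23\n")
        archive = EvidenceArchive(pathlib.Path(tmp) / "archive", investigator="analyst-1")
        dest, digest = archive.archive(raw)
        intact = archive.verify(dest, digest)
        dest.write_text("modified after archiving\n")  # simulate a damaged or altered copy
        after_tamper = archive.verify(dest, digest)
        return {"intact": intact, "after_tamper": after_tamper,
                "actions_logged": archive.action_count()}


if __name__ == "__main__":
    print(run_example())
```

The point of logging the failed verification as well as the successful one is that the action log is itself evidence of what investigators did; a gap in it is harder to explain than a recorded failure.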

Further information
Further information on documenting cyber security incident responsibilities and procedures can be found in the
System-specific documentation section of the Guidelines for security documentation.
Further information on event logging, including retention periods, can be found in the Event logging and auditing
section of the Guidelines for system monitoring.

Reporting cyber security incidents
Reporting cyber security incidents
Reporting cyber security incidents to an organisation’s Chief Information Security Officer (CISO), or one of their
delegates, as soon as possible after they occur or are discovered provides senior management with the opportunity to
assess damage to systems and their organisation, and to take remedial action if necessary, including seeking advice
from the ACSC.
Security Control: 0123; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they
occur or are discovered.
Security Control: 0141; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
When organisations use outsourced information technology or cloud services, their service providers report all cyber
security incidents to the organisation’s CISO, or one of their delegates, as soon as possible after they occur or are
discovered.

Cyber Security Incident Reporting scheme
The ACSC uses the cyber security incident reports it receives as the basis for providing assistance to organisations.
Cyber security incident reports are also used by the ACSC to identify trends and maintain an accurate threat
environment picture. The ACSC utilises this understanding to assist in the development of new or updated cyber
security advice, capabilities and techniques to better prevent and respond to evolving cyber threats.
Reporting cyber security incidents to the ACSC via the Cyber Security Incident Reporting (CSIR) scheme ensures that the
ACSC receives information in a timely fashion enabling subsequent triage and response activities. Cyber security
incidents not reported through the CSIR scheme are at risk of not being responded to in an efficient and effective
manner. Organisations are recommended to internally coordinate their reporting of cyber security incidents to the
ACSC.


Security Control: 0140; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Cyber security incidents are reported to the ACSC using the CSIR scheme.

Further information
Further information on the CSIR scheme is available at https://www.acsc.gov.au/incident.html.
